MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 10



SHA256 hash: 65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
SHA3-384 hash: 9ebfbebffca9ca3d91157ea5a183a8c10ad073de485e4b04669ab5a4ee232dbc6fa74f3a4d34e0245be39e5fad8c4218
SHA1 hash: 50e2c7caf7dd0f826bc6e814bd62fbb39982ceed
MD5 hash: cba263871219062d981111b00cc131fc
humanhash: aspen-speaker-oxygen-juliet
File name: 7078612
Signature: Gozi
File size: 507'904 bytes
First seen: 2022-11-23 09:42:25 UTC
Last seen: 2022-11-23 11:37:53 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: b7fa5d0a561f82b8d27459b3b4a585bc (1 x Gozi)
ssdeep: 6144:VcmfGth2n/4QpDArdVgncHm3pPXig93bNvKQ7lzLNc0RMkHsBAih:XYwFxAmcHm5vigDvKQBzTM/f
Threatray: 3'258 similar samples on MalwareBazaar
TLSH: T12EB4F12BA519A87DCCA041B73C53B2B8FADE18868341D1DF3A047D80FD945DA563E1BB
TrID: 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.3% (.EXE) OS/2 Executable (generic) (2029/13)
      18.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.0% (.EXE) DOS Executable Generic (2000/1)
      (these are TrID's generic DOS/NE fallbacks and do not contradict the file type: the MIME type above and the sandbox results below identify the file as a Windows PE DLL)
Reporter: VirITeXplorer
Tags: dhl italy dll Gozi Ursnif
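Before analysing a downloaded copy, confirm that it really is the artefact this record describes. The Python below is an added example, not MalwareBazaar's own tooling: it recomputes the four digests listed above plus the file size and the MZ magic implied by the application/x-dosexec MIME type, and names every field that disagrees with the record. The expected values are copied from this entry; the file path is taken from the command line and is assumed to point at the sample after it has been extracted from the password-protected archive the site serves.

```python
import hashlib
import sys
from pathlib import Path

# Values copied from this MalwareBazaar record.
RECORD = {
    "sha256": "65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3",
    "sha3_384": "9ebfbebffca9ca3d91157ea5a183a8c10ad073de485e4b04669ab5a4ee232dbc6fa74f3a4d34e0245be39e5fad8c4218",
    "sha1": "50e2c7caf7dd0f826bc6e814bd62fbb39982ceed",
    "md5": "cba263871219062d981111b00cc131fc",
    "size": 507904,
}


def digests(data: bytes) -> dict:
    """Compute the digest set MalwareBazaar lists, in a single pass over the bytes."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha3_384")}
    view = memoryview(data)
    chunk = 1 << 20  # 1 MiB; irrelevant for a 500 KB DLL, keeps memory flat for big samples
    for off in range(0, len(view), chunk):
        for h in hashers.values():
            h.update(view[off:off + chunk])
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = len(data)
    out["is_pe"] = data[:2] == b"MZ"  # application/x-dosexec => DOS/PE header starts with MZ
    return out


def verify(data: bytes, record: dict = RECORD) -> dict:
    """Return {field: bool} for every record field plus is_pe; all True means this is the recorded sample."""
    actual = digests(data)
    result = {field: actual[field] == expected for field, expected in record.items()}
    result["is_pe"] = actual["is_pe"]
    return result


def mismatches(data: bytes, record: dict = RECORD) -> list:
    """Names of the fields that do not match, empty when the file is the recorded sample."""
    return [field for field, ok in verify(data, record).items() if not ok]


if __name__ == "__main__":
    # Path to the extracted sample is an assumption supplied by the caller.
    bad = mismatches(Path(sys.argv[1]).read_bytes())
    print("OK: file matches the record" if not bad else "MISMATCH in: " + ", ".join(bad))
```

A mismatch in any digest means you are not looking at this sample (a re-zipped, truncated or wrong download), and the unpacked-file hashes further down this page can be checked against memory dumps with the same function.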

Intelligence


File Origin
# of uploads: 2
# of downloads: 226
Origin country: IT
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: bank.troj.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Self deletion via cmd or bat file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph (ID 752294; sample 7078612.dll; start date 23/11/2022; architecture WINDOWS; score 100). The graph's node and edge list, laid out as a process tree, with dropped files, network contacts and triggered signatures under the process that produced them:

Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 4 other signatures

mshta.exe
  powershell.exe
    dropped: C:\Users\user\AppData\...\ogaysol0.cmdline (Unicode)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
    explorer.exe (injected)
      signatures: Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd or bat file; Disables SPDY (HTTP compression, likely to perform web injects); Creates a thread in another existing process (thread injection)
      cmd.exe
        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        conhost.exe
        PING.EXE
      RuntimeBroker.exe (injected)
    csc.exe
      dropped: C:\Users\user\AppData\Local\...\ogaysol0.dll (PE32)
      cvtres.exe
    csc.exe
      dropped: C:\Users\user\AppData\Local\...\bplkxjdz.dll (PE32)
      cvtres.exe
    conhost.exe
loaddll32.exe
  cmd.exe
    rundll32.exe
      network: supernetwork.top 62.173.149.9:80 (local port 49715), SPACENET-AS Internet Service Provider RU, Russian Federation
      network: internetcoca.in 172.105.103.207:80 (local port 49718), LINODE-AP Linode LLC US, United States
      network: 3 other IPs or domains
      signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
      control.exe
        signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
        rundll32.exe
  conhost.exe
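Several of the sandbox signatures above map directly onto process-creation telemetry: mshta.exe launching powershell.exe; powershell.exe spawning csc.exe and cvtres.exe with a .cmdline response file dropped under AppData (the footprint of C# compiled at runtime from PowerShell, which is what the "Dot net compiler compiles file from suspicious location" Sigma hit refers to); a cmd.exe child of the injected explorer.exe that uses ping.exe as a sleep and then deletes the dropper; and control.exe started by rundll32.exe. The Python below is an added example, not the sandbox vendor's or MalwareBazaar's code: it encodes those five chains as rules and runs them over constructed Sysmon-style events modelled on the process tree above. The command lines in the events are illustrative (the page does not record the sample's real command lines), and the two benign look-alikes at the end are there to show what the rules must not fire on.

```python
import re

# Constructed Sysmon-style process-creation events (parent image, image,
# command line), modelled on the sandbox process tree above. The command
# lines are illustrative; they were not recovered from this sample.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64>"},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ogaysol0\ogaysol0.cmdline"'},
    {"id": 3, "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 5 127.0.0.1 > nul & del "C:\Users\user\AppData\Local\Temp\7078612.dll"'},
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 5 127.0.0.1"},
    {"id": 6, "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": "control.exe"},
    # Benign look-alikes that must not fire: a real reachability ping, and a
    # build tool compiling from a project directory.
    {"id": 7, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 4 fileserver.corp.example"},
    {"id": 8, "parent": r"C:\Program Files (x86)\MSBuild\15.0\Bin\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\Projects\app\obj\Debug\app.cmdline"'},
]

# Directories an unprivileged user can write to; a compiler reading its
# response file from one of these is the "suspicious location" condition.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
PING_COUNT = re.compile(r"\bping(?:\.exe)?\b.*?\s-n\s+\d+", re.I)
LOOPBACK = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.I)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta_spawns_powershell(e) -> bool:
    return base(e["parent"]) == "mshta.exe" and base(e["image"]) == "powershell.exe"


def rule_csc_compiles_from_user_writable(e) -> bool:
    # csc.exe fed a .cmdline response file that lives under a user-writable directory.
    c = e["cmdline"]
    return base(e["image"]) == "csc.exe" and ".cmdline" in c.lower() and bool(USER_WRITABLE.search(c))


def rule_ping_used_as_sleep(e) -> bool:
    # "ping -n <count> 127.0.0.1" has no network purpose; it is a delay loop.
    c = e["cmdline"]
    return base(e["image"]) == "ping.exe" and bool(PING_COUNT.search(c)) and bool(LOOPBACK.search(c))


def rule_self_delete_via_cmd(e) -> bool:
    # cmd.exe that sleeps via ping and then deletes a DLL/EXE: wait for the
    # parent to exit, then remove the dropper.
    c = e["cmdline"]
    return (base(e["image"]) == "cmd.exe" and bool(PING_COUNT.search(c)) and bool(LOOPBACK.search(c))
            and re.search(r"\bdel\b.*\.(?:dll|exe)\b", c, re.I) is not None)


def rule_control_spawned_by_rundll32(e) -> bool:
    return base(e["parent"]) == "rundll32.exe" and base(e["image"]) == "control.exe"


RULES = [
    ("mshta_spawns_powershell", rule_mshta_spawns_powershell),
    ("csc_compiles_from_user_writable", rule_csc_compiles_from_user_writable),
    ("ping_used_as_sleep", rule_ping_used_as_sleep),
    ("self_delete_via_cmd", rule_self_delete_via_cmd),
    ("control_spawned_by_rundll32", rule_control_spawned_by_rundll32),
]


def detect(events) -> list:
    """Return (event id, rule name) pairs, in event order, for every rule that fires."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((e["id"], name))
    return hits


if __name__ == "__main__":
    for eid, name in detect(EVENTS):
        print(f"event {eid}: {name}")
```

Run against the constructed events, events 1, 2, 4, 5 and 6 each fire exactly one rule and the two benign events stay silent. The csc.exe rule keys on the location of the response file rather than on csc.exe itself, because csc.exe and the csc.exe to cvtres.exe chain are ordinary on developer machines; the ping rule keys on a loopback target with a count, which a genuine reachability check never needs.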
Threat name: Win32.Infostealer.Gozi
Status: Malicious
First seen: 2022-11-23 09:43:06 UTC
File Type: PE (Dll)
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:5050 banker isfb trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi
Malware Config
C2 Extraction:
config.edge.skype.com
meganetwork.top
supernetwork.top
internetcoca.in
31.207.46.124
139.60.163.161
dendexmm.com
Note: config.edge.skype.com is a Microsoft-operated domain. Gozi/ISFB configurations commonly carry a legitimate host of this kind as a connectivity check next to the real C2 servers, so it should not be treated as an indicator of compromise or added to block lists on its own. Of the remaining entries, supernetwork.top and internetcoca.in are the ones that appear as contacted hosts in the sandbox network activity above.
Unpacked files
SHA256 hash: ba8b9c888d1e6f4e6251217f72f6fe13b2e4a58918af0d120edb5508d90dbade
MD5 hash: 067b4232f5e6a7e954094c76c521b05d
SHA1 hash: 97ba6f1793b9da6906ce3179d633efd11d366fbf
Detections: ISFB_Main win_isfb_auto
SHA256 hash: cc0cb95d4d21ab9e4c5b39851b1bd410d90e8987ada281cd3230191c634c03ea
MD5 hash: 359233bdb61328d978c13124f3ebdada
SHA1 hash: be18fa0cbfb40743da25309fc6346716fd93a39f
SHA256 hash: 65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3 (identical to the submitted sample; see the hashes at the top of this entry)
MD5 hash: cba263871219062d981111b00cc131fc
SHA1 hash: 50e2c7caf7dd0f826bc6e814bd62fbb39982ceed
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments